Secure boot
Why would you even have secure boot enabled on a Windows 7 system? Three of my machines have ASUS Motherboards and Secure boot is disabled and other OS is selected. Enough of this nonsense Microsoft fecking with Windows 7 user base.
A recent Windows 7 update partially bricks computers that have an Asus motherboard fitted, it emerged this week. Windows 7 machines that have installed Microsoft's KB3133977 update may trigger a "secure boot violation" during startup, preventing the PC from loading the operating system, Asus said. Though the KB3133977 patch …
"Why would you even have secure boot enabled on a Windows 7 system?"
It's supported by default on newer Asus motherboards but Windows 7 doesn't use it. The update makes the firmware think Secure Boot is supported by the operating system, but really the OS cannot/does not ultimately provide the signatures needed, so the boot fails.
I suspect - and we're waiting for more info from Microsoft - that the updated BitLocker drive encryption code that loads before the OS is run is cocking up the process: the firmware believes it's booting a Secure Boot OS but it's really not. Possibly.
C.
I have an Asus P9X79 Pro motherboard, and I installed on it Windows 7 a couple of years ago with the default secure boot settings (enabled) and it worked fine until I installed the update. Then the message stating the secure boot checks failed appeared.
I sent The Register a mail about it days ago, before it became an update installed by default. There were already threads about it in Microsoft support forums, thereby Microsoft was well aware of it and I'm "very surprised" it decided to make it installed by default knowing it would have caused not a few PCs not to boot. Unless it was exactly another way to nag users to install Windows 10.
Moreover, secure boot failure messages are not really very informative and helpful.
BTW: the way you disable secure boot on Asus boards may depend on the model and UEFI interface.
Um, I think you'll find people have been posting without reading the article for years.
This is about a feature that Asus put on old PCs. It's also about the grief MS get for trying to support relatively ancient systems (if you have an Android handset you know how quickly a machine can become outdated). It's not about MS trying to stop you installing Linux.
"This is about a feature that Asus put on old PCs. It's also about the grief MS get for trying to support relatively ancient systems (if you have an Android handset you know how quickly a machine can become outdated). It's not about MS trying to stop you installing Linux."
Fair point, but they clearly didn't do adequate regression testing and the guys doing the work clearly didn't understand the full implications of what they were up to. I would have thought a multibillion dollar multinational that took an active part in developing SecureBoot would be capable of getting this right before release. It's not as if they're short of skilled devs & cash to pay them.
No, siree! An honest to God and trusted company like Microsoft would never dream of locking the PC hardware and prevent you from installing Linux. They are just trying to prevent you from installing anything but what they want you to have on their PC (I said their PC because with them controlling the boot process the computer is no longer yours).
Fixing the UEFI BIOS by disabling secure boot (setting it to "Other OS") worked, BUT:
That still left me with two notices that appeared at boot, both of which I had to click through. One said, <Asus Setup C:\Users\******\AppData\Local\Temp\211540Log.iniis lost> and the other was identical except that it referenced 211241Log.iniis lost>.
More Googling suggested entering Task Scheduler and deleting or disabling the i-21 entries. I did so and disabled them both; upon reboot both notices were gone and did not return. Whee! Note I went to Control Panel\Administrative Tools\Task Scheduler, not Task Manager.
"A recent Windows 7 update partially bricks computers that have an Asus motherboard fitted, it emerged this week."
Either it bricks them or it doesn't. Reading the article implies it does nothing of the sort. And it's not a Microsoft issue.
"Microsoft half-bricks Asus Windows 7 PCs with UEFI boot glitch "
So actually it's more like "Asus Windows 7 PCs fail to boot due to UEFI bios glitch" - but I guess that wouldn't get as many clicks?
The answer is simple - be like that California woman (see http://www.theregister.co.uk/2016/06/27/woman_microsoft_windows_10_upgrades/) and take them to the small claims tribunal where they are prohibited from sending along a lawyer (but make sure their representative has no legal training because you can be fairly sure that they will try that trick if they think they can get away with it).
You are then on equal footing with one of their sales droids and in front of a judge who only has to decide on whether the "patch" was fit for purpose.
You mean like clean installs of Windows 7 that when you install updates, you end up with a borked Windows Update subsystem that takes major messing around to get working again?
Seen this exact behaviour on about 20 rebuilds now. It happened around about the same time as windows 10 nagware propaganda started. It's as if they didn't want me trying to fix win7 windows update and install windows 10 instead.
I just got a brand new laptop and the manufacturers advised not to use Linux because the drivers might not be available - stuck the latest Xubuntu on it and everything works like a dream. There are a couple of proprietary drivers on offer but I haven't bothered to find out what they do to see if they're worth installing.
Only heard of one machine with a driver problem under linux lately and that was where the bios/uefi had a bug so a quick update and sorted.
"I just got a brand new laptop and the manufacturers advised not to use Linux because the drivers might not be available"
That's just fscking laziness on the part of the manufacturer. What would it cost them to do a test install of a few popular Linux distros and maybe a couple of xBSDs and then advertise that such and such an OS, version x.x was tested and worked ok with all the inbuilt hardware. They don't have to care about updates or new/old drivers. Just that it worked with a specific version. They already do that with Windows and to a far greater extent so they can have the special permission from MS to put a sticker on the case.
It may or may not generate lots of sales, but I bet it would at least generate enough to more than cover the day or two it would take to run some simple tests.
> There is always an alternative to Windows that is not Ubuntu.
What a dumb statement. There's always an alternative to something if you don't need it. Like starving to death is an alternative to eating. But it's not a *good* substitute.
Likewise, while there are other OSs besides Windows, there are a ton of valuable Windows applications that do not run on other OSs, and don't have compatible substitutes, if even any substitutes. Since people who are not hermits and use their computers for work often have to share documents with Windows users, an incompatible "alternative" won't suffice, either.
What would be nice is a genuine fully-compatible Windows substitute that could run all Windows applications, but Microsoft has gone to great lengths to make that virtually impossible. WINE is a cute toy but doesn't cut it in the real world of business computing.
What's all with the negativity !
Look, you are complaining that there is no alternative but you are not going to try any other OS?
How do you think that MS became so popular, because people used it !
Now you want a completely compatible OS to windows that can run all your Windows software etc, then use Windows and be damned !
You state almost like it's factual that there are a ton of Windows applications that do not run on other OSs, well in a Windows VM running under Linux I dispute what you say!
Also many businesses are capable of using the various office software that is available on Linux, and there are several: Libre Office, WPS Office and several others. Here's a link for a review of office software on Linux, but you have to remember that it was done in 2013 and Linux has come on leaps and bounds since then. http://www.techradar.com/news/software/applications/best-office-suites-for-linux-5-reviewed-and-rated-1146417/1
There is always an alternative to Windows that is not Ubuntu.
Agreed. How many times have I said it in the past...
Linux is NOT Ubuntu. Nor is it Mint, RedHat, SUSE, Debian, Arch, Gentoo, Puppy, Slackware or any other distro you care to mention. If anything, distro evangelists do more damage than good when it comes to situations like this.
This happened to me with a Z97-A mobo that had been happily working in UEFI mode with Windows 7 for a year. The answer given by Asus seems a bit extreme - to keep UEFI mode but disable secure boot, the Delete PK option deletes the Secure Boot keys - at least, I think that's what I did. The Asus menus didn't have a simple enable or disable secure boot option and it took a bit of digging in key management before I found an option that warned me secure boot would be disabled if I proceeded.
I don't remember ever setting up a secure boot option when I built the PC but as it's not supported in Windows 7 and it booted, I assumed all was ok!
I had the same on my home PC a few weeks back. Hours of hair pulling to figure out what was wrong. Fixed it, then last week two "home-brew" number crunching machines at work (bought in from specialist builders and that moved to our centre with a research group) went the same way. The BIOS screens were vastly different from mobo to mobo though, making it hard to find exactly where to make the tweak - on mine it was under advanced boot settings, on the other two it was under security on one and advanced settings - key management on the other. Anyway my reputation as a miracle worker upheld.
Same happened to a friend's PC, however, the problem was blamed on a recently installed game, and hence hours of looking in all the wrong places.
A quick internet search brought up a youtube video that hadn't got a tenth the way through its explanation, before the secure boot light bulb turned on.
Never encountered it before, and yes my WIN 7 machine has it enabled too, but it is air-gapped from the net, and hasn't had any updates for years, hence it was a new one on me.
Pity he saw me cribbing from the net, otherwise my genius status, would have risen a few notches.
Still, as long as some friends continue to refuse to go down the Linux route, I can always count on getting free beer and snacks every other week, from despairing Microsofties.
If the mobo has Secure Boot enabled, that infers it'll boot in UEFI mode, which implies either an entry in the firmware's boot menu, or the boot device has a removable media (simple) boot path loader at /EFI/BOOT/BOOTx64.EFI in an EFI System Partition, and that the boot-loader has a signing certificate indicating it was signed by a key trusted by a Certificate Authority embedded in the firmware.
It sounds as if the Asus firmware is doing something that isn't in the UEFI specification - namely when Secure Boot is enabled it isn't actually enabled so much as *optional* - if the initial boot-loader stub it reads doesn't have a signing certificate attached the firmware will boot with Secure Boot disabled.
If the MS KB3133977 update contains a boot-loader that is signed that would trigger Secure-Boot mode, but when the next stage is loaded and is found not to be signed it throws the reported error.
If this is correct then the Asus firmware could very easily mislead a user into believing a Secure Boot happened with an OS that does support Secure Boot when it didn't - any malware or physical intervention could replace the initial EFI stub with an unsigned version and the system would boot without a warning.
I hope this hypothesis is proved wrong else that's a big security FAIL on Asus' part.
If you're interested in the attack vectors I recommend reading this Intel & Phoenix "UEFI Secure Boot in Modern Computer Security Solutions" paper [0] and footnote 1 on page 7 and its reference 21 link to the Blackhat USA 2013 paper "A Tale of One Software Bypass of Windows 8 Secure Boot" [1].
[0] http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf
[1] http://www.c7zero.info/stuff/Windows8SecureBoot_Bulygin-Furtak-Bazhniuk_BHUSA2013.pdf
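An added example, not part of the original comment or of any vendor tool: one way to audit whether an EFI loader such as the /EFI/BOOT/BOOTx64.EFI file mentioned above has a signature attached at all is to read the Certificate Table entry in its PE header. The names `has_signature_blob` and `build_sample` are hypothetical and the sample image is constructed; the check reports presence only and does not validate the signature or its chain.

```python
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Certificate Table)

def has_signature_blob(image: bytes) -> bool:
    """True if a PE/COFF image carries a non-empty Certificate Table.

    Presence only: this does not verify the signature or its chain.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    opt = coff + 20                                         # COFF header is 20 bytes
    if len(image) < opt + 2:
        raise ValueError("truncated header")
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 / PE32+
    entry = dirs + CERT_DIR_INDEX * 8
    if entry + 8 > min(opt + opt_size, len(image)):
        return False                                        # no room for the entry
    (count,) = struct.unpack_from("<I", image, dirs - 4)    # NumberOfRvaAndSizes
    if count <= CERT_DIR_INDEX:
        return False
    offset, size = struct.unpack_from("<II", image, entry)  # file offset, not an RVA
    return size > 0 and offset > 0 and offset + size <= len(image)

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable loader."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    cert = b""
    if signed:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType + placeholder data
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 112 + CERT_DIR_INDEX * 8, 0x40 + 24 + 240, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

if __name__ == "__main__":
    for signed in (True, False):
        print(signed, has_signature_blob(build_sample(signed)))
```

To check a real loader, pass the bytes of the file read from a mounted EFI System Partition to `has_signature_blob`.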
If your hypothesis is right* then someone at a vulture desk will owe MS an apology for the title of this article. It would in that case be Asus causes some of its motherboards to crash** after faulty UEFI implementation.
* I have nothing to add on that point.
** Brick is the wrong verb here.